Recent reporting shows a threat actor actively exploiting multiple outdated FortiWeb appliances to deploy the open-source Sliver Command and Control (C2) framework. The campaign fits a wider trend in which adversaries rely on publicly available offensive tooling to gain and keep persistent access inside compromised networks, sidestepping defenses that are tuned to commercial or bespoke malware. The attackers favor unpatched edge devices, turning them into stable footholds from which to move further into the network.
Initial access comes through public-facing flaws in FortiWeb devices; reports indicate that firmware versions 5.4.202 through 6.1.62 are targeted. The precise vulnerability used against FortiWeb has not been confirmed, but the same group has been observed exploiting React2Shell (CVE-2025-55182) in parallel operations. Once on the appliance, the attackers deploy Fast Reverse Proxy (FRP) to expose services reachable from the device to their own infrastructure, creating a tunnel between the victim's internal network and the attacker's external control systems.
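The version range above is the first thing a defender will want to check against an appliance inventory. The following is an added example, not code from the original report or from Ctrl-Alt-Int3l: it parses plain major.minor.patch strings (the exact format of a FortiWeb version banner is an assumption here), tests them inclusively against the reported range, and lists hosts to review. The inventory is constructed sample data. A hit means "patch and inspect", not confirmed compromise, since the report gives a targeted range rather than a vendor advisory.

```python
"""Check FortiWeb firmware versions against the range reported as targeted.

Added example, not from the original report. The inventory below is
constructed; the version-string shape (major.minor.patch, optionally with a
leading 'v') is assumed. The report names a targeted range, not a vendor
advisory, so a hit means "review and patch", not confirmed compromise.
"""
import re

# Range named in the report, inclusive at both ends.
TARGETED_LOW = (5, 4, 202)
TARGETED_HIGH = (6, 1, 62)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(s):
    """Return (major, minor, patch) from a string such as '6.1.62' or 'v6.1.62', else None."""
    m = VERSION_RE.search(s)
    return tuple(int(x) for x in m.groups()) if m else None


def in_targeted_range(version):
    """True when the parsed version lies within the reported range (tuple comparison)."""
    v = parse_version(version)
    return v is not None and TARGETED_LOW <= v <= TARGETED_HIGH


# Constructed inventory: hostname -> firmware version as reported by the device.
INVENTORY = {
    "waf-edge-01": "6.1.62",    # upper bound, inclusive
    "waf-edge-02": "5.4.201",   # one below the lower bound
    "waf-edge-03": "7.0.10",    # above the range
    "waf-lab-01": "v5.4.202",   # lower bound, with a leading 'v'
    "waf-lab-02": "unknown",    # unparseable: skipped, not silently treated as safe
}


def hosts_to_review(inventory):
    """Return sorted hostnames whose firmware falls inside the targeted range."""
    return sorted(h for h, v in inventory.items() if in_targeted_range(v))


def hosts_with_unknown_version(inventory):
    """Return sorted hostnames whose version string could not be parsed at all."""
    return sorted(h for h, v in inventory.items() if parse_version(v) is None)


if __name__ == "__main__":
    print("review:", hosts_to_review(INVENTORY))
    print("unknown:", hosts_with_unknown_version(INVENTORY))
```

Hosts whose version cannot be parsed are reported separately rather than dropped, because an appliance that will not tell you its firmware level is itself worth a look.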
FortiWeb Appliances Exploited for Sliver C2 Deployment
Ctrl-Alt-Int3l analysts found the infrastructure during routine open-directory threat hunting on Censys, where they discovered exposed Sliver C2 databases and logs. These exposed assets gave an unusually direct view of the operator's methods, revealing a cluster of compromised devices reporting to centralized command servers. The investigation confirmed that a large majority of the victim hosts ran outdated firmware, which is what made them susceptible to this opportunistic but targeted campaign.
The operational impact is considerable: the actor gains long-term persistence on security appliances that the rest of the network implicitly trusts. With the Sliver implant running on the web application firewall itself, the attacker is positioned to observe the traffic the appliance handles and to execute commands with the appliance's privileges. The campaign also shows a regional focus, with decoy infrastructure themed for targets in South Asia.
Command and Control Strategy and Evasion Techniques
The threat actor's infrastructure is built around decoy domains that mimic legitimate services. Analysis of the C2 configuration revealed domains such as ns1.ubunutpackages[.]store and ns1.bafairforce[.]army (defanged here with bracketed dots). These domains served deceptive content, including a fake "Ubuntu Packages" repository and a "Bangladesh Airforce" recruitment page, so that a defender reviewing outbound connections would see what looks like a package mirror or a government site.
The attackers generated their implants with Sliver's own commands and chose options that help them blend in. One command recovered from the logs sets the implant to reconnect every 120 seconds and uses an "ubuntu" template so that the process resembles ordinary Linux housekeeping. The resulting binary was dropped at /bin/.root/system-updater on the compromised FortiWeb devices, masquerading as a system update utility. Note the dot-prefixed directory: a hidden directory under /bin is not something a stock appliance image should contain, and is itself a useful indicator independent of the file name.
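The decoy domains, the fixed 120-second reconnect interval and the hidden implant path are all hunt-able. The block below is an added example, not code from the original report: it runs the three checks over constructed proxy/DNS-style log lines and a constructed file listing. It refangs the bracketed domains for matching, groups outbound contacts by source host, and applies a cadence heuristic that flags callbacks recurring at roughly the reported interval with little spread. That heuristic assumes a fixed reconnect cadence; implants commonly add jitter, so widen the tolerance (or switch to a distribution test) before relying on it in production. The hidden-path check generalizes beyond the single reported path to any dot-prefixed component under the system binary directories.

```python
"""Hunt for the indicators described above in proxy/DNS logs and file listings.

Added example, not part of the original report. The log lines and file listing
are constructed for illustration. The beacon heuristic assumes a fixed callback
cadence; real implants usually add jitter, so tune `tolerance` to your data.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Indicators taken from the report. Domains are defanged in the text; refang for matching.
DECOY_DOMAINS = {d.replace("[.]", ".") for d in ("ns1.ubunutpackages[.]store", "ns1.bafairforce[.]army")}
IMPLANT_PATH = "/bin/.root/system-updater"
RECONNECT_SECONDS = 120  # from the recovered Sliver generate command

# Constructed sample log: "<timestamp> <src> <dst-host>". Not real data.
SAMPLE_LOG = """\
2025-12-01T10:00:00Z 10.0.0.5 ns1.ubunutpackages.store
2025-12-01T10:02:00Z 10.0.0.5 ns1.ubunutpackages.store
2025-12-01T10:04:00Z 10.0.0.5 ns1.ubunutpackages.store
2025-12-01T10:06:01Z 10.0.0.5 ns1.ubunutpackages.store
2025-12-01T10:00:30Z 10.0.0.9 archive.ubuntu.com
2025-12-01T10:03:10Z 10.0.0.9 archive.ubuntu.com
2025-12-01T10:00:00Z 10.0.0.7 ns1.bafairforce.army
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Yield (timestamp, src, dst) from the constructed three-column format; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(3)


def find_decoy_contacts(text):
    """Return {src: [timestamps]} for sources that contacted a decoy domain."""
    hits = defaultdict(list)
    for ts, src, dst in parse_log(text):
        if dst.lower().rstrip(".") in DECOY_DOMAINS:
            hits[src].append(ts)
    return dict(hits)


def looks_like_beacon(timestamps, period=RECONNECT_SECONDS, tolerance=0.1, min_samples=3):
    """True if callbacks recur about every `period` seconds with spread within `tolerance`."""
    if len(timestamps) < min_samples:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    near_period = abs(statistics.median(gaps) - period) <= period * tolerance
    low_spread = (max(gaps) - min(gaps)) <= period * tolerance
    return near_period and low_spread


def hunt(text):
    """Per source: how many decoy callbacks were seen and whether they look beacon-like."""
    return {src: {"callbacks": len(ts), "beaconing": looks_like_beacon(ts)}
            for src, ts in find_decoy_contacts(text).items()}


SYSTEM_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")


def hidden_under_system_bin(paths):
    """Flag any path with a dot-prefixed component under a system binary directory."""
    flagged = []
    for p in paths:
        for base in SYSTEM_BIN_DIRS:
            if p.startswith(base):
                rel = p[len(base):]
                if any(comp.startswith(".") for comp in rel.split("/")):
                    flagged.append(p)
                break
    return flagged


# Constructed file listing, as a `find /bin /sbin /usr/bin /usr/sbin` run might produce.
SAMPLE_PATHS = [IMPLANT_PATH, "/bin/ls", "/usr/bin/python3", "/usr/sbin/.cache/helper"]

if __name__ == "__main__":
    for src, verdict in hunt(SAMPLE_LOG).items():
        print(src, verdict)
    print("hidden under system bin:", hidden_under_system_bin(SAMPLE_PATHS))
```

In the constructed data, 10.0.0.5 reaches the decoy at 120, 120 and 121 second gaps and is flagged as beaconing; 10.0.0.7 contacts a decoy only once, which is still worth triage but cannot be assessed for cadence; 10.0.0.9 talks to a real Ubuntu mirror and is left alone.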
This campaign underscores the persistent risk of unpatched edge systems and the growing use of publicly available offensive tooling. FortiWeb appliances are attractive entry points precisely because they sit at the network perimeter, are exposed to the internet by design, and are rarely inspected with the same scrutiny as endpoints. Organizations should prioritize patching and vulnerability management for every internet-facing device, and should treat outbound connections from such appliances to unfamiliar domains as worth investigating.
Defenders should expect further exploitation of similar devices and the adoption of new evasion techniques by this group. The continued reliance on open-source C2 frameworks such as Sliver lowers the cost of such operations and makes mid-sized organizations with limited security resources a realistic target. Continued vigilance and proactive defense remain essential to mitigating these risks.

